Iranian Hackers targeting US oil, gas, and electric companies

The Hacker News reported: For all the talk about China and the Syrian Electronic Army, it seems there’s another threat to U.S. cyber interests: Iran. A series of potentially destructive computer attacks targeting American oil, gas and electricity companies has been traced back to Iran.

Iranian hackers were able to gain access to control-system software that could allow them to manipulate oil or gas pipelines. Malware has been found in the power grid that could be used to deliver malicious software to damage plants. The targets have included several American oil, gas and electricity companies, which government officials have declined to identify.

The officials stated that the goal of the Iranian attacks is sabotage rather than espionage. The cyber-attacks from China, by contrast, are aimed more at stealing confidential information from the U.S. government and from private businesses. Mandiant announced that the Chinese government was backing those attacks; officials in Beijing, however, vehemently denied any connection to them.

The new attacks, officials said, were devised to destroy data and manipulate the machinery that operates critical control systems, like oil pipelines. Iran has denied being the source of any attacks, adding that it had been a victim of American sabotage.

Tom Cross, director of security research at Lancope, said that industrial control systems such as those used to control oil and gas pipelines are more interconnected with public networks like the Internet than most people realize. “It is also difficult to fix security flaws with these systems because they aren’t designed to be patched and restarted frequently. In the era of state-sponsored computer attack activity, it is not surprising to hear reports of these systems being targeted,” he said.

Government officials also claimed that Iran was the source of a separate continuing campaign of attacks on American financial institutions that began last September and has since taken dozens of American banks intermittently offline, costing millions of dollars. But that attack was a less sophisticated denial of service effort.

Apple closes QuickTime vulnerabilities on Windows

Apple has released a security update for its QuickTime media framework for Windows. Version 7.7.4 of the software closes 12 critical security holes that cause memory corruption and buffer overflows when processing a number of media formats. The vulnerabilities affect Windows 7, Vista and XP SP2 or later and could be exploited to cause arbitrary code execution and application crashes.

The vulnerabilities affected the playback of MP3, H.263, H.264, TeXML, JPEG, QTIF, Sorenson Video and FPX files as well as the handling of dref, enof and mvhd atoms within the program. All of the problems were reported by researchers working with HP’s Zero Day Initiative, five of them by Tom Gallagher and Paul Bates from Microsoft.

At the time of writing, Apple is not yet listing details about the fixed bugs on its security web site, but has announced that it will do so soon. The 40MB update for the free product can be downloaded from Apple’s Support Downloads web site.

via h-online

Symantec planning to discontinue PC Tools security products

Symantec has stopped selling the security-related products in its PC Tools portfolio, according to an announcement on the company’s web site. Customers using the affected programs – Spyware Doctor, Spyware Doctor with AntiVirus, and Internet Security – can continue to use them until their subscription runs out.

Symantec says that the decision is related to consolidating its product range in order to offer customers fewer but higher quality products. To that end, the company suggests that customers looking to replace the discontinued products consider Norton Internet Security.

Symantec acquired PC Tools in 2008. One of the company’s most popular security programs was ThreatFire, a virus scanner that detected malicious programs based on their behaviour; over the last few years, however, it has only been available as part of PC Tools Internet Security.

via h-online

Chrome 27 comes with better load speeds and security fixes

The Chrome developers at Google have released version 27 of their browser to the Stable release channel for Windows, Mac OS X, Linux, and Chrome Frame for Internet Explorer. The new version, Chrome 27.0.1453.93, includes performance improvements with a new scheduler and fixes a number of security vulnerabilities – most of them rated as High – that Google’s bug bounty program rewarded with almost $15,000 in total.

Chrome 27 also introduces a filesystem API that allows the browser to synchronise application data through the Google Drive service. Among the bug fixes, a dependency problem which stopped Chrome being easily installed on Ubuntu 13.04 has also been fixed, one release earlier than Canonical was expecting.

In an announcement entitled “every second counts”, Google explains that the new scheduler in the browser makes pages render 5% quicker on average. The speed increase should be most notable with documents made up of a large number of images and a lot of JavaScript code. More details on the new technology are available in a white paper published by the Chrome Speed Team.

The Chrome developers have also highlighted 17 security holes closed in Chrome 27 and paid out 13 bug bounties. Arne Kettunen of the Oulu University Secure Programming Group was awarded $3133.7 for finding four different memory safety problems in the Web Audio component. Most of the other High-rated vulnerabilities also have to do with memory management issues and earned their discoverers payouts of between $500 and $2000, totalling almost $15,000. The developers have also shipped a new version of the Flash Player which means Chrome comes with Flash Player version 11.7.700.203.

Chrome 27.0.1453.93 is being delivered as an automatic update on all supported platforms. It is also available to download from Google free of charge. Chrome is proprietary software, built from Google’s open source Chromium project.

Microsoft warns of Facebook-hijacking extensions

Malicious browser extensions are trying to hijack Facebook profiles, according to a warning from Microsoft’s Malware Protection Center. The extensions, first discovered in Brazil and dubbed JS/Febipos.A by Microsoft, are targeted at Chrome and Mozilla Firefox and appear to be installed by a custom trojan dropper. Microsoft first reported on the trojans in April, but it seems that a recent update to the trojans warrants bringing further attention to them.

The trojan extensions themselves monitor users’ browser activity to see if they are logged into Facebook and then retrieve from a remote site a configuration file, disguised as a .php file, that contains commands for the extension. The extension is able to like pages, share pages, post, join groups, invite friends to groups, chat with friends or comment on posts. The Microsoft researchers have witnessed the extension posting messages (in Portuguese) about teen suicides with a video link that sends users to a malicious site, liking and commenting on a Facebook page apparently belonging to a car company, and sending out a variety of messages via chat, posts or comments. Links to other Facebook profiles are also posted by the extension in messages.

Microsoft recommends that users review their installed extensions. The extensions are detected by Microsoft’s security software, provided the latest definitions are installed.

Name.com domain registrar hacked

US domain registrar and web hosting service Name.com has fallen victim to a hacker attack. In a recent email, the company informed its customers of an incident that potentially enabled unknown attackers to gain access to “email addresses, encrypted passwords and encrypted credit card details”. The registrar says that the private crypto keys that are required to decrypt the stolen credit card details are stored on a separate system that wasn’t compromised.

The company didn’t comment on the security of the “encrypted” passwords. Passwords are usually stored as hashes rather than in a reversible encrypted form, and those hashes can be further protected by salting. Name.com has asked its customers to reset their passwords, and customers can only log back in once they have done so.

Name.com said that the attackers appear to have targeted the account of a major business customer. No information on how the intruders gained access has so far been released. According to statistics compiled by WebHosting.Info, the registrar manages about half a million domains. The company also offers web hosting and SSL certification services.

Internet Explorer 8 0-Day Update CVE-2013-1347

Microsoft has confirmed a bug in Internet Explorer 8, CVE-2013-1347, which exposes user machines to remote code execution.

In an advisory, Microsoft says the vulnerability “exists in the way that Internet Explorer [accesses] an object in memory that has been deleted or has not been properly allocated.”

That, in turn, opens the door to memory corruption and remote code execution in the current user context.

According to this blog post by Eric Roman: “A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the document and used again during rendering, an invalid memory that’s controllable is used, and allows arbitrary code execution under the context of the user.”

That post also notes that an exploit has been seen in the wild. Last week, security companies AlienVault and Invincea reported that a site on a sub-domain of the US Department of Labor was serving malware, and Roman’s blog post states that it was serving up an attack on the CVE-2013-1347 vulnerability.

According to Invincea, the Department of Labor exploit was installing the Poison Ivy backdoor Trojan.

The venerable version might be using a walking frame to get around, but according to W3counter.com it’s still the second-most popular version of IE in the wild, and so remains a significant attack vector.

Microsoft is considering whether to issue an out-of-cycle patch for the vulnerability.

Cross-posted from TheRegister.co.uk

Ubuntu 13.04 Raring Ringtail is out, What’s new?

Canonical has released Ubuntu 13.04 Raring Ringtail, most likely the last release of Ubuntu that will primarily cater for laptop and desktop users. For Ubuntu 13.04, Canonical focused on tightening up the core of the OS and polishing the Unity interface in preparation for Ubuntu’s smartphone and tablet debut, which is slated to occur in October with the release of version 13.10. There’s also the usual slew of package updates, a new Linux kernel, and a couple of new features, too.

The first thing you’ll notice upon booting Raring Ringtail is that Unity, and the PC in general, is faster and more responsive. This is down to Canonical putting a lot of time and effort into tweaking Ubuntu’s core libraries to reduce the CPU and memory usage of system processes, resulting in a snappier interface (Unity) and installed apps. This tightening of Ubuntu’s core should also reduce power consumption, which is good news for laptop users. While these changes will obviously help laptop and desktop users, their primary purpose is to prepare Ubuntu for its debut on smartphones and tablets, which generally have less RAM and weaker processors. While we’re discussing core changes, Ubuntu 13.04 now uses the Linux 3.88 kernel — a sizable upgrade from Ubuntu 12.10’s Linux 3.5 kernel (which had a nasty security vulnerability, incidentally).

Moving from the core and into userland, Ubuntu 13.04 features updated versions of Firefox, LibreOffice, and Python. The workspace switcher has been removed from the Unity launcher by default, and Ubuntu One (Canonical’s cloud storage service) can now be controlled from the system tray. If you add some social media accounts, such as Twitter or Facebook, there’s also a new “Friends” lens, which is a lot like the People app in Windows 8 — basically, you can browse your friends’ latest updates, like, retweet, and so on. Overall, though, not a whole lot has outwardly changed in Ubuntu 13.04 — it’s definitely more of a tweak-and-polish release. For a good overview of Ubuntu 13.04’s new features, watch the video below.

http://www.youtube.com/watch?v=fH2VHiIW_dE

If you want to try out Ubuntu 13.04, your best bet is to download the ISO and install it in VirtualBox — or, if you’re feeling daring, and perhaps a little disillusioned with Windows 8, how about you try running Ubuntu 13.04 as your primary OS? You might be pleasantly surprised. If you’d rather just dangle a toe or two in the water, there’s an excellent guided tour of 13.04 up on the Ubuntu website.

[Image: The whole Ubuntu ecosystem: TV, PC, tablet, smartphone (in theory)]

Looking ahead, Canonical now has its work cut out with Ubuntu 13.10, which will introduce the Ubuntu Touch interface for smartphones and tablets. Details are fairly scarce at the moment, in accordance with Canonical’s move to a closed-door development process, but it seems that Canonical is attempting to create a single version of Ubuntu that works across PCs, smartphones, tablets, and even TVs (see: Canonical outs Ubuntu TV: Brave or stupid?). Ever since the Unity interface was first introduced, we have presumed that Ubuntu was heading in the direction of mobile devices — and now we’re just six months away from it actually happening. It’s definitely a savvy move for Canonical, with the PC market slowly dying, but whether it can actually carve out a section of the mobile market from Apple, Google, and Microsoft remains to be seen.

Cross-posted from ExtremeTech.


Symantec vs AV-Comparatives, Which one do you trust?

Cross-posted from PCMag SecurityWatch:

Last week independent antivirus lab AV-Comparatives released the results of an on-demand antivirus detection test. The fact that Microsoft came in near the bottom wasn’t big news; the fact that Symantec scored even lower was surprising indeed. In a blog post released today, Symantec decried the entire practice of performing on-demand malware scanning tests, calling it “misleading.”

In the early years of antivirus testing, every test was an on-demand scanning test. Researchers would assemble a collection of known malware, run a full scan, and record the percentage of samples detected. Modern labs work hard to devise tests that more closely reflect a user’s real-world experience, taking into account the fact that the vast majority of infections enter the computer from the Internet. Symantec contends that only the real-world sort of test is valid; I don’t entirely agree.

Crippled Protection?
Alejandro Borgia, senior director of product management for Symantec Corporation, stated categorically in his blog post that “the cited detection rates are misleading and not representative of real-world product efficacy.” Borgia said, “These types of file scanning tests are run in artificial environments that cripple all modern protection features.”

It’s true that AV-Comparatives made sure the test systems had Internet access, thereby giving the Symantec installation access to the powerful cloud-based Norton Insight reputation system. When I asked my Symantec contacts about this, they explained that for full power Norton Insight relies on full information, “how the file was obtained, when it was obtained, or from where it was obtained (e.g. URL and IP address).” An on-demand file scanner test on files whose arrival Symantec’s antivirus did not observe is not the same as when the user actually downloads files. That’s true, but it is the same as when a user installs antivirus to clean up an existing malware problem.

The network intrusion prevention components also got no chance to help out, since the file samples were downloaded before installation of antivirus software. Once again, you’d be in a similar situation when installing antivirus for the first time on an infested system. And of course behavior-based detection never kicks in until a program actually begins to execute.

In response to a query about behavior-based protection taking action only after a malicious file is launched, my Symantec contacts pointed out that “behavior” includes more than actions taken by the program. “Our behavioral technology takes into account a program’s location, how it is registered on the system (e.g., what registry keys refer to it), and many other factors,” they explained. “In most cases, the program will be stopped prior to it causing any harm.”

Is It Misleading?
As to the claim that the test is misleading, AV-Comparatives doesn’t agree. The introduction to the report itself states that “the file detection rate of a product is only one aspect,” and points to “other test reports which cover different aspects.”

“It is clearly stated, that only one feature of the product is tested,” said Peter Stelzhammer, co-founder of AV-Comparatives. “If Symantec is thinking the file detection feature is worthless, why is it still included in the product?” Stelzhammer pointed out that file detection is needed for initial cleanup, and that PCs don’t always have an Internet connection. Even so, “the test was run with full internet connection and Symantec cloud features have been granted access to their cloud.”

Borgia likens testing file detection alone to testing a car’s safety systems by first disabling everything but the lap belt, stating that such a test would be “entirely flawed.” And yet, a test like that might well identify problems with a weak lap belt, so “entirely flawed” seems an overstatement.

Real World Tests Only?
Borgia notes that Symantec strongly supports real-world tests, tests “that most closely represent the threat environment and utilize all of the proactive technologies provided with a product.” I can hardly disagree, but such tests require a huge amount of time and effort. The blog post holds up the testing performed by Dennis Labs as one shining example. Dennis Labs records the process of infection from real-world URLs and then uses a Web replay system to repeat the exact same process under each antivirus product’s protection. Admirable indeed, but it takes a lot of time and effort.

AV-Comparatives itself runs real-world tests every day, challenging a collection of antivirus products installed in identical test rigs to defend against malware from hundreds of very new real-world malicious URLs. Every month they summarize the data, and every quarter they release a full Real World Protection report. The process is labor-intensive enough that they rely on help from the University of Innsbruck and on partial funding by the Austrian government.

You’d expect Symantec to shine in this real-world test by AV-Comparatives. “Unfortunately,” noted Stelzhammer, “Symantec did not want to join our main test series.” Symantec chose not to participate, they said, because “AV-Comparatives does not offer vendors a subscription focused solely on real-world tests, while opting out of the file scan test.” However, this strategy seems to have backfired. Even though the company didn’t subscribe, AV-Comparatives put Symantec into the on-demand test “as the results have been highly demanded by our readers and the press.”

Multiple Tests Have Value
Symantec’s blog post concludes, “We look forward to the day when all published tests are real-world tests. In the meantime, readers need to beware of artificial tests that show misleading product comparisons.” I, too, would be thrilled to see more tests that match a user’s real-world experience, but I don’t think we can discard file-detection tests.

Consider this. If you purchase antivirus software for a system that never had protection, you’ll expect it to clean up any and all malware, without griping that it wasn’t given a chance to use its network intrusion prevention. In a case like that you’ll probably look for high scores in a test like the AV-Comparatives on-demand test, a test that fairly closely matches your situation.

For ongoing protection, yes, you’ll want a product that earns top scores in real world tests also. So choose a product that scores high in both areas, and in tests from multiple labs. That way you’ll get protection that can take care of any problems existing at installation and also fend off future malware attacks.

Microsoft patches the security update 2823324

Microsoft is making another attempt to close the privilege elevation hole in the NTFS filesystem’s kernel driver for Windows 7 and Server 2008, including R2. The new patch, 2840149, supersedes security update 2823324, which Microsoft released on its April Patch Tuesday.

However, shortly after releasing it, the software giant had to recall the first update because it caused problems with various third-party programs; it crippled computers and triggered error messages. Kaspersky’s anti-virus programs also started acting up once the update was installed, erroneously concluding that they no longer had a valid licence and ceasing to operate. When re-releasing the update, Microsoft didn’t clarify whether this was the reason for the system malfunctions.

The new patch is already being deployed via Windows Update. Microsoft is offering a bootable recovery disk as an ISO image to customers whose computers have failed to boot since the first patch was installed.